Abstract

Several concrete examples in quantum information are discussed to demonstrate the importance of proper modeling that relates the mathematical description to real-world applications. In particular, it is shown that some commonly accepted conclusions are not adequately supported by their purported justifications in the logical manner required.

1 Introduction 

This paper describes the major part of my talk at the 2006 QCMC meeting. (The rest, on unconditionally secure quantum bit commitment, is included in my writeup in this volume for my poster paper.) It may be viewed as a concrete elaboration of my points on the role of mathematical modeling and rigor in real-world applications discussed in [1] and [2]. In the context of quantum information, such consideration is especially important and indispensable if we ever want to develop a true quantum information technology. There are three main points in the following, presented in three sections:
(i) Entropy or mutual information that the attacker possesses on a generated key is not a good quantitative measure of security in real cryptosystems.

(ii) Given the entropy criterion, there is no security proof, unconditional or even a limited one that includes all currently feasible attacks, for any experimental BB84 system.

(iii) Loss is a major limiting factor on many quantum information systems that has not been properly dealt with theoretically.

These assertions may appear startling to many, as they are contrary to the "accepted opinion", if I may say, of much of the quantum information community. However, at this point of writing, I believe they are incontrovertible truths. I hope this is substantiated in the following.

2 Performance Criteria and Security Guarantee

Let us consider the issue of the security measure on the generated key $K_g$ in a quantum key generation (QKG) system. Eve's Shannon entropy $H_E(K_g)$, or equivalently her mutual information $I_E = |K_g| - H_E(K_g)$, is the most commonly used measure. If Eve's knowledge of $K_g$ is bit by bit, the binary entropy of a bit is in one-one correspondence with Eve's bit error rate. However, in general Eve has bit-correlated information on $K_g$, and we may ask: What is the concrete security guarantee provided by having $I_E \le \epsilon$ for a given level $\epsilon$? The problem arises because $I_E$ or $H_E$ is a theoretical quantity with no operational meaning automatically attached. In standard cryptography, this issue does not arise because fresh key generation is considered impossible [3-5] and was never attempted, while security of other cryptographic functions is based on computational complexity.

In ordinary communications, the operational significance of the entropic quantities is given through the Shannon source and channel coding theorems, which relate them to the empirical quantities of data rate and error rate. But what is the corresponding empirical security guarantee in cryptography? This issue was not addressed by Shannon in his classic cryptography paper, written at about the same time as his classic information and communication theory papers. It has not been addressed by anybody else since.
It is clear that entropy is just a one-number representation of a whole probability distribution. All questions of security could be answered by knowing the complete distribution, which I would like to call Eve's error profile. Let $p_i = p_E(K_g \mid Y, S)$, where $K_g$ is an $n$-bit string, $Y$ is Eve's observation and $S$ is her total side information, be ordered $p_1 \ge \cdots \ge p_N$, $N = 2^n$. Thus, $p_1$ is Eve's maximum probability of guessing $K_g$ correctly with her information. As a one-number representation of the profile $\{p_i\}$, $p_1$ is of special importance because it must be sufficiently small for a meaningful security guarantee. Even for moderate $|K_g|$ it appears that a $p_1$ well below $2^{-10}$ may not be small enough for many applications, while $p_1 \sim 2^{-10}$ would be a disastrous breach of security.

Generally, if Eve can try $m$ different possible $K_g$ to break the cryptosystem, the first $m$ values $p_1, \ldots, p_m$ are the relevant numbers to determine any quantitative level of security. For $N$ possible trials, the trial complexity
$$C_t = \sum_{i=1}^{N} i \cdot p_i ,$$
which is the average number of trials Eve needs to succeed, is a meaningful measure of security. The number $p_1$ itself is operationally meaningful, and is in fact the most suitable measure if a single number has to be used in lieu of the whole profile $\{p_i\}$.

To illustrate this and the problem of $I_E$, we observe that given $p_1 \le 2^{-l}$ for some $l$, we have $C_t \ge (2^l + 1)/2$ and $I_E \le n - l$ [3]. In the worst case profile $\{p_i\}$, one has [3]

$$p_1 \sim 2^{-l} \quad \text{for} \quad I_E/n \sim 2^{-l}. \qquad (1)$$

Thus, if Eve has $10^{-3}$ bit of information per bit of $K_g$, it is possible that her $p_1 \sim 2^{-10}$. This possibility arises from the possible correlation between the bits of $K_g$ that is reflected in Eve's information on the whole $K_g$. The profile $\{p_i\}$ that gives one deterministic bit of information to Eve out of $|K_g| = 10^3$ in the above example is the best, not the worst, case for the users. It is not a meaningful procedure to average Eve's $p_1$ or any other measure over the possible profiles $\{p_i\}$ given a fixed level of $I_E$, because there is a definite $p_1$ that Eve has for the given cryptosystem.
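As an added illustration (not from the paper), the following Python computes the error-profile quantities defined above, $I_E$, $p_1$, $C_t$ and the probability of success within $m$ guesses, for two constructed profiles of a 10-bit key that leak the same one bit of Shannon information: one where Eve knows a single bit deterministically, and a "spike" profile of the kind behind (1), where one key value carries all of the leaked information. The key length, the profiles and the helper names are my own assumptions.

```python
import math

def profile_known_bit(n):
    """Constructed profile: Eve knows one bit of the n-bit key exactly,
    the other n-1 bits are uniform.  I_E = 1 bit, p_1 = 2^-(n-1)."""
    N = 2 ** n
    return [2.0 ** (1 - n)] * (N // 2) + [0.0] * (N // 2)

def profile_spike(n, q):
    """Constructed profile: one key value has probability q, the remaining
    N-1 values share 1-q uniformly (the worst-case shape behind eq. (1))."""
    N = 2 ** n
    return [q] + [(1.0 - q) / (N - 1)] * (N - 1)

def eve_info(profile):
    """I_E = |K_g| - H_E(K_g) in bits, with |K_g| = log2 of the profile size."""
    n = math.log2(len(profile))
    h = -sum(p * math.log2(p) for p in profile if p > 0.0)
    return n - h

def p1(profile):
    """Eve's maximum probability of guessing K_g in one trial."""
    return max(profile)

def trial_complexity(profile):
    """C_t = sum_i i * p_i over the profile sorted in decreasing order."""
    ps = sorted(profile, reverse=True)
    return sum(i * p for i, p in enumerate(ps, start=1))

def success_within(profile, m):
    """Probability that Eve hits K_g within her first m guesses (sum of p_1..p_m)."""
    return sum(sorted(profile, reverse=True)[:m])

def spike_for_info(n, target_bits, iters=60):
    """Bisect q so that the spike profile leaks exactly target_bits of I_E;
    I_E grows monotonically with q from 0 (uniform) to n (q -> 1)."""
    lo, hi = 2.0 ** -n, 1.0 - 1e-12
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        if eve_info(profile_spike(n, mid)) < target_bits:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)

if __name__ == "__main__":
    n = 10
    a = profile_known_bit(n)
    b = profile_spike(n, spike_for_info(n, eve_info(a)))
    for name, prof in (("one known bit", a), ("spike", b)):
        print(f"{name:14s} I_E={eve_info(prof):.3f} p_1={p1(prof):.4f} "
              f"C_t={trial_complexity(prof):.1f} P(succ<=8)={success_within(prof, 8):.4f}")
```

With $I_E = 1$ bit in both cases, $p_1$ rises from $2^{-9}$ to about $0.16$, the same order as $I_E/n = 0.1$ as (1) predicts, while $C_t$ ranks the two profiles in the opposite order; this is why the first $m$ values $p_i$, not any single number, settle the security level when Eve is limited to $m$ trials.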

Thus, to ensure proper security via $I_E$, one must have $l$ sufficiently small in $I_E/n \sim 2^{-l}$. It is difficult to ensure exponentially small $I_E$ in an entropic analysis of an experimental system. In fact, $I_E/n \sim 2^{-10}$ is considered very good in current experimental BB84 schemes, with 0.1% information leak per bit after error correction and privacy amplification [6]. But as analyzed above, this does not rule out the possibility of a disastrous breach of security. This exponential problem persists if the Kolmogorov distance between $\{p_i\}$ and the uniform distribution is used in lieu of $I_E$.

It is possible to use privacy amplification algorithms to guarantee exponentially small $I_E$, but the known result [7] from Renyi entropy is always loose by a factor of 2 in the exponent for bounding $p_1$. In addition, Renyi entropy is difficult to deal with quantitatively. There is no example in quantum cryptography in which it has been usefully bounded in the finite-$n$ case, other than the i.i.d. situation, which does not cover all the currently feasible attacks. On the other hand, many theoretical results in information and communication theory yield directly the exponential behavior of $p_1$. In this connection, it is important to observe that $l = -\log p_1$ is the true limit on the number of fresh key bits generated in a QKG or classical key generation system. Thus, I recommend that $p_1$ be employed as the security measure in both theoretical and experimental cryptosystem studies.

Here I would like to mention the following problem of BB84: since Eve can break the system completely by a man-in-the-middle attack if she correctly guesses the message authentication key $K_m$ needed for the public channel, what is the meaning of generating a fresh key much longer than $|K_m|$?

3 BB84 Security Proofs 

The assertion I would like to make now is that no complete QKG protocol has been given with a quantified security level that is proved unconditionally secure in a realistic setting including inevitable loss and noise. By a complete protocol I mean one which has all the steps specified that can be implemented in a real system and which goes all the way to yield a final generated key $K_g$ that has proven security, say $I_E \le \epsilon$ for a fixed security level $\epsilon$. Such a complete protocol is needed by an experimentalist to implement a cryptosystem with quantified security, granting here that $I_E$ is used as a security measure. Such a quantified "secure" cryptosystem is what we need to produce to substantiate the claim that we have a "secure" QKG system while there is no comparable provably secure classical cryptosystem.

This requirement implies that all asymptotic analysis and random coding existence proofs with no finite code specified are not sufficient for a real cryptosystem, which always has a finite bit length and which requires explicitly specified protocol steps. Indeed, even if a code is specified, it is not "realistic" when the decoding cannot be carried out in polynomial time. This is especially the case in view of the fact, to be shown elsewhere, that exponential inefficiency can be utilized to generate fresh key via exponentially small probability of success.

There are as yet only two papers with an unconditional security claim on finite realistic protocols that include the effect of noise. In [8], the code is not specified and it is not clear if a code, especially one with a polynomial-time decoding algorithm, can be found in a typical experimental parameter region. In [9], the final quantitative result is derived under approximation without rigorous bounds. Neither [8] nor [9] includes all possible attacks in a system with transmission loss, as is the case for every security proof given thus far.

The typical loss of linear attenuation is inevitable and usually considerable in an optical system. Its effect on the security of BB84 or Ekert-type cryptosystems has never been rigorously determined, while it is accepted by many in the "community" that it only affects the throughput of a single-photon BB84 system but not its security. That this has not been established by a proper analysis is readily seen from the fact that the qubit model is not applicable to the situation where the transmission medium is lossy. If only the detector is lossy, but Eve is assumed not able to manipulate it, a good assumption in most cases, the qubit model holds for transmission. If the line is lossy, and Eve is assumed capable of introducing an alternative lossless medium, there are additional attacks she could launch on single-photon BB84 similar to the case of coherent-state or multi-photon BB84. Even at the individual attack level, she could launch an approximate probabilistic cloning attack similar to the unambiguous state discrimination attack in the multi-photon case.

With probabilistic cloning, it is possible to clone nonorthogonal linearly independent states with a nonzero, and of course nonunity, probability [10]. Similarly, it may be possible to approximately $m$-clone any set of states with a nonzero probability and a fidelity larger than that obtainable with unity probability. This possibility has been explicitly demonstrated [11]. By adjusting the probability of success for a given loss level, Eve could launch such an attack on single-photon BB84 without being detected. If the resulting fidelity in a 2-clone is higher, Eve's attack becomes more powerful in the lossy case.

This possibility has not been analyzed in the literature, although for individual attacks it can be shown that the fidelity cannot be increased in this way [12]. However, this already shows that a 3-level model of a qubit in loss is necessary to represent the physical situation, so that all possible attacks by Eve are accounted for in a joint attack. Actually, an infinite-dimensional multimode model should be used. This analysis is currently lacking. In particular, the use of decoy states [13] in multi-photon BB84 in loss does not solve the security problem of such sources in loss, because at best the problem of single-photon BB84 in loss remains.

Actually, I believe there are several problems in the current proofs of BB84 security that make the validity of various arguments quite questionable. They will be addressed elsewhere. A lot of these problems center around the issue of how one may be able to make rigorous assertions on a multi-correlated system by examining just one copy. It also appears to me that only symmetrized joint attacks are included in the current proofs. It has not been shown why unsymmetrical attacks, especially adaptive ones, could not do better. These problems disappear in the case of individual attacks. However, for such attacks, the problem of fully accounting for the side information that can be exploited in just collective classical processing is difficult, and many errors on this issue in the literature can be found [14]. On the other hand, there is no such problem in the KCQ (Keyed Communication in Quantum Noise) approach [15].

Note added: The issues of Sections 2 and 3 are being addressed by M. Hayashi and applied to the experiment of A. Tomita. The security and efficiency analysis of BB84, including especially message authentication, will be presented by our group shortly.

4 Loss in Quantum Metrology and Quantum Computation

Loss is a major limiting factor on the quantum effects obtainable in a physical system, which is well known in quantum optics in the case of squeezing [16] and especially superposition of "macroscopic states" [17, 18]. Recently, it has been proposed that the NOON state $|\psi\rangle = \frac{1}{\sqrt{2}}(|N\rangle|0\rangle + |0\rangle|N\rangle)$ for number state $|N\rangle$ could lead to improved interferometric measurements with, e.g., a phase resolution $\Delta\phi \sim 1/N$ instead of the $\sim 1/\sqrt{N}$ obtained with coherent states. They would find many applications under the heading of "quantum metrology". Actually, squeezed states alone on a single mode would lead to such improvement without entanglement, which is the optimum value obtainable for a fixed [16]. Also, the state

$$|\phi\rangle = \frac{1}{\sqrt{2}}\bigl(|N\rangle|N-1\rangle + |N-1\rangle|N\rangle\bigr) \qquad (2)$$

leads to similar improvement [19] as the NOON state and can be more closely generated by optical parametric processes.

Superposition of macroscopic states is "supersensitive" to loss. I have re-emphasized the significance of this phenomenon in quantum information [2, 20]. Consider the state $\frac{1}{\sqrt{2}}(|n_1\rangle|n_2\rangle + |n_2\rangle|n_1\rangle)$ for number states $|n\rangle$, with $\rho$ the corresponding density operator. Let $\rho'$ be the incoherent superposition $\rho' = \frac{1}{2}\bigl(|n_1\rangle|n_2\rangle\langle n_1|\langle n_2| + |n_2\rangle|n_1\rangle\langle n_2|\langle n_1|\bigr)$. If the system is in typical linear loss with transmittance $\eta$, it is readily computed that the trace distance is

$$\|\rho - \rho'\|_1 = 2\eta^{\,n_1 + n_2}. \qquad (3)$$

Thus, for large $n_1 + n_2$, $\|\rho - \rho'\|_1 \sim 2e^{-1}$ and the system effectively decoheres with the loss of one photon. For a large NOON state, a fractional loss of order $1/N$ would already destroy the quantum effect responsible for the $\Delta\phi$ improvement. Furthermore, (3) shows qualitatively that the entanglement effect responsible for the improvement of any usual performance criterion is wiped out with a tiny loss. This should remain true for any other entanglement of macroscopic states. The coherent state case is also worked out in ref. [20].

I believe a similar supersensitivity obtains in a long multi-qubit entanglement for quantum computation, which cannot be removed by fault-tolerant quantum computing or "quantum leak plumbing". The reason is that the terms in a long superposition of many qubits also contain many quanta, which would become supersensitive in the presence of loss similar to the NOON state. The situation cannot be rectified by fault-tolerant qubits which are themselves lossy. Also, quantum leak plumbing disturbs the system in an unpredictable way even if no leak is found. To my knowledge, this whole issue has not been properly treated theoretically in the literature. While linear loss is significant in all current experimental quantum computation schemes, there are many other theoretical schemes in which such loss can be made negligible. However, the moral I would like to draw here is that we should incorporate all the small but perhaps ultimately significant perturbations in the theoretical study of quantum information systems, and one should not believe that a system would do what it is designed for without such perturbations and small details fully taken into account in the system model.



5 Conclusion 

There is currently a huge divide between theory and experiment on quantum information systems, even just on a small scale. I believe this arises also from inadequate modeling of the system, as in the large-scale case discussed above. In cryptography, there is the further complication that a security guarantee has to be obtained with mathematical rigor, assuming the model is complete and correct. It is possible to show that a cryptosystem is insecure by an experiment or a simulation, but it is not possible to prove a cryptosystem secure by such means or by other qualitative reasoning. This point, which I made in [1], comes in full force for security guarantees. We should be extra careful in our modeling and proofs of quantum cryptographic systems. Finally, there is the question whether any useful concrete system can be built for a realistic application if it is as model-sensitive as in the BB84 case, an issue we have not discussed but which is widely known.